← 返回 Skills 市场
529
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install molit-real-estate
功能描述
MOLIT apartment real transaction price API
安全使用建议
The skill implements the claimed MOLIT API calls, but it contains a clear inconsistency: SKILL.md tells users to save their API key at ~/.config/data-go-kr/api_key while the script reads /home/scott/.config/data-go-kr/api_key. Before installing or using this skill: 1) Inspect and edit scripts/real_estate.sh to remove the hardcoded '/home/scott' path (use $HOME or the documented ~/.config path, or better accept an env var). 2) Require the skill metadata to declare the config path or env variable for the API key so the agent can surface that requirement. 3) Consider storing the key with correct permissions and avoid putting secrets into logs; note the script sends the key as a URL parameter (common for this API) which can show up in server logs—if concerned, prefer POST or server-side proxying. 4) Test the script in a sandbox with your key and confirm it only queries apis.data.go.kr and prints results. If you are not comfortable editing the script to remove the hardcoded path, do not install the skill.
功能分析
Type: OpenClaw Skill
Name: molit-real-estate
Version: 2.2.0
The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/real_estate.sh`. The script directly interpolates user-controlled arguments (`$1`, `$2`, `$3`) into a `python3 -c "..."` command without proper escaping. This allows an attacker, via prompt injection against the OpenClaw agent, to execute arbitrary shell commands on the host system, leading to Remote Code Execution (RCE). Additionally, the script hardcodes the API key path to `/home/scott/.config/data-go-kr/api_key`, which is a bug that may prevent the skill from functioning correctly for other users.
能力评估
Purpose & Capability
The skill's stated purpose (query MOLIT real transaction API) matches the network call in scripts/real_estate.sh, so functionality is coherent. However, the metadata claims no required config/credentials while SKILL.md and the script both rely on a local API key file — that discrepancy is unexpected and disproportionate to the stated metadata.
Instruction Scope
SKILL.md instructs storing the API key at ~/.config/data-go-kr/api_key, but scripts/real_estate.sh opens '/home/scott/.config/data-go-kr/api_key' (an absolute, user-specific path). The script reads a local file and makes outbound HTTPS calls to the public MOLIT endpoint (expected), but the hardcoded /home/scott path is out-of-scope for a general skill and may cause accidental disclosure or failed runs.
Install Mechanism
No install spec (instruction-only plus an included script). Nothing is downloaded or extracted from arbitrary URLs; risk from install mechanism is low.
Credentials
The skill requires an API key to call data.go.kr, yet registry metadata declares no required env vars or config paths. The SKILL.md suggests storing a key in ~/.config/data-go-kr/api_key but the script ignores that and reads a hardcoded '/home/scott' path. This is a mismatch and an overreach (the skill should declare a single, configurable credential location or allow passing the key via env var).
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does not modify other skills or global configuration in the provided materials.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install molit-real-estate - 安装完成后,直接呼叫该 Skill 的名称或使用
/molit-real-estate触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.2.0
아파트 실거래가 조회 — 국토교통부 MOLIT API
元数据
常见问题
국토부 부동산 실거래가 是什么?
MOLIT apartment real transaction price API. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 529 次。
如何安装 국토부 부동산 실거래가?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install molit-real-estate」即可一键安装,无需额外配置。
국토부 부동산 실거래가 是免费的吗?
是的,국토부 부동산 실거래가 完全免费(开源免费),可自由下载、安装和使用。
국토부 부동산 실거래가 支持哪些平台?
국토부 부동산 실거래가 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 국토부 부동산 실거래가?
由 김성우(@sw326)开发并维护,当前版本 v2.2.0。
推荐 Skills